There is an unusually thin line between the safety of our digital lives and the rest of the world. A correct username and password are all that separate the ownership of an online identity or device.

So how can digital forensic evidence be admissible in court if anyone can be behind the keyboard? Can their presence be proven?

The Shorthand Answer: Although there are some effective methods of identifying with reasonable suspicion who is behind the keyboard of a device, there is not really an absolute way of being 100% sure besides physically witnessing them. In most cases though, relational evidence is often enough.

Ghost-writer?

A digital device and user account have relatively relaxed forms of authentication if you think about it. As long as you have the credentials to an account, you are able to sign. It doesn’t matter who you actually are in real life, an account is static. Why else have you constantly been told to “not give out your passwords”? It is because common sense states that if someone has your password they can sign into your account. This piece of reality brings forward the question of “how do you know it actually was that person doing it?”. Believe it or not, this is not an uncommon argument used by the accused. It is very easy to argue that your account was ‘hacked’ or it ‘wasn’t you’ behind the keyboard. Technically, these arguments do have some potential for validity.

Claims of being ‘hacked’ can always be further investigated and verified/refuted. Handling the latter argument is a little trickier. Besides having video footage or physically seeing the person at the computer, there is not a foolproof way of showing it was a specific person behind the keyboard. The accused could have left his/her computer unlocked and briefly walked away. Maybe his/her password was simple to unlock or even scribed somewhere on the desk. Regardless, there are many ways someone could have gained access to a user account without it being theirs. Just because activity occurred on a user account, does not necessarily mean it was the person who is associated with that user account. With that being said, there is a semi-methodical approach which involves looking at physical data, relational data, or baseline data.

Physical Data:

Explained well on page 251 here, there are numerous ways that an individual could be placed in a location through digital evidence. Chances are any work environment would have some variance of security controls such as cameras or RFID readers. These controls can provide clear evidence and timestamps of an individual’s presence (or absence). If an individual claims they did not perform an illegal-digital act on their work computer, but were found to have swiped into their work and were caught on camera right before the crime took place, their argument credibility decreases. Data that physically links an individual to a specific location is only limited by imagination. Arrival time at a parking garage meter, visitor sign-in sheets, and witness testimony are just some of the other ways someone can be placed at a location.

Relational Data:

Is there any forensic data on the machine that would help prove the user was actually the one who was performing the actions? Relational data builds relationships with other actions that require authentication (or private knowledge). User login times right before the act, email logins right before the act, legitimate emails sent right before the act, dual factor authentication set on account, or applications on the computer that require login credentials being accessed, could all help prove the user was the legitimate owner of the account or not.

Baseline Data:

Baseline data is referring to the reference of habitual actions on a device, in order to prove a user’s identity. This method is definitely the least effective, but could still hold some valuable weight. Human nature subconsciously sets our lives in routines. Consider the events of a standard morning routine “checking phone”, “making bed” “drinking coffee”, and “showering”. Different people might do these morning rituals in different orders:

(Person 1): Checking phone, making bed, drinking coffee, showering.

(Person 2): Making bed, drinking coffee, checking phone, showering.

(Person 3): Showering, checking phone, drinking coffee, making bed.

Whatever the order of the routine, it is highly likely that each order remains the same each morning for that individual person. The same thing can happen with computer interaction. One person might go on a web browser and check the local news first, check Twitter second, and then review Amazon deals. There is a chance this person does these sames steps in the same order every single morning. Meanwhile another person may do the same routine in a completely unique order. These unique characteristic-routines can be reflected in forensic data . Granted this is a timely and risky approach, it can still be used as a near-last resort! Baselines can also come in handy by emphasizing unusual activities for a particular user. Say an individual normally uses a specific application to do all of their emails everyday. Now suddenly the same user account uses a browser webmail to send a threatening email. This event might stand out to an investigator and give a reason to not dismiss a claim of ‘it wasn’t me, someone else must’ve been on my computer’. Event anomalies can be red flags.

Conclusion:

There is a general expectation that a user should keep his/her accounts protected from alternative individuals. Technology is becoming more increasingly embedded into our daily lives. A user interaction rate suggests there is a higher chance the legitimate owner of a device/account are around the material more. Therefore, although it is possible the actions performed on an account were not done by the actual owner, there is a larger chance it was. Digital criminal acts will continue to be refuted just like normal physical crimes. Similar linking methods are applied when an investigator is trying to prove who was behind a gun or a knife. The collection of surrounding data is key to arguments around ownership of actions. Still, there may be some data which does prove actions were not done by the actual user. In light of this information, a good practice when performing digital forensic work is often to refer the user account directly. “The user account then sent the email”, not “The defendant then sent the email”. Known association of the individual and the user account will make the necessary connection between the two.